Awesome Typescript Loader version 5.1.0 brings several updates and improvements over the previous stable version 5.0.0, focusing on enhanced developer experience and compatibility with newer tooling.
A key highlight is the updated development dependencies. Version 5.1.0 embraces newer versions of crucial tools like TypeScript (upgraded to ^2.9.1 from ^2.7.2), Webpack (upgraded to ^4.12.0 from ^4.1.0) and Webpack CLI (upgraded to ^3.0.3 from ^2.0.10). This ensures compatibility with the latest features and optimizations offered by these core build tools. Dependencies like @types/node, @types/webpack and @types/mocha were also updated to align with the new main versions of Webpack and TypeScript. Developers benefit from newer syntax support, performance enhancements, and bug fixes included in these updated dependencies.
Furthermore, the upgrade includes updates to other developer dependencies like chai, fs-extra, prettier, and tslint, promoting code quality and consistency throughout the development process. The unpacked size decreased slightly, indicating potential optimizations.
While the core dependencies remain largely the same, the jump in development dependency versions signals a commitment to staying current with the evolving JavaScript ecosystem. Developers considering an upgrade will benefit from the newer features and potential performance gains tied to these updated tools. The upgrade suggests a focus on ensuring the loader remains a robust and well-maintained solution for TypeScript integration with Webpack.
All vulnerabilities related to version 5.1.0 of the package
Regular Expression Denial of Service (ReDoS) in micromatch
The NPM package micromatch prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in micromatch.braces() in index.js because the pattern .* will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking on the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix, but further testing shows the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.
Uncontrolled resource consumption in braces
The NPM package braces fails to limit the number of characters it can handle, which could lead to memory exhaustion. In lib/parse.js, if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.
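Both advisories above (the micromatch ReDoS on unclosed brackets and the braces memory exhaustion on imbalanced braces) share a root cause: untrusted pattern text reaches a parser that has no input bound. The following is an added example, not code from this page, from awesome-typescript-loader, micromatch or braces. It shows two defensive checks an application that accepts glob patterns from users can apply before handing them to any brace-expansion or glob library: a cheap pre-validation that rejects over-long, over-nested or imbalanced brace patterns, and a lockfile scan that lists every installed copy of a package below a fixed version (the 4.0.8 threshold for micromatch comes from the advisory; the fixed braces version is not stated on this page and must be taken from its own advisory). The length and nesting limits, the helper names and the sample lockfile fragment are all assumptions constructed for the example.

```javascript
// Added example (not from the page or the micromatch/braces projects):
// pre-parse guards for glob/brace patterns plus a lockfile version scan.

// Assumed application limit; tune it to the longest legitimate pattern you accept.
const MAX_PATTERN_LENGTH = 1024;

// Reject a pattern before it reaches a brace-expansion parser if it is too long,
// nested too deeply, or has imbalanced braces (the braces advisory's trigger).
// Backslash-escaped characters are skipped so "\{" is not counted as an opener.
function checkBraces(pattern, maxDepth = 8) {
  if (typeof pattern !== 'string') return { ok: false, reason: 'not a string' };
  if (pattern.length > MAX_PATTERN_LENGTH) return { ok: false, reason: 'too long' };
  let depth = 0;
  for (let i = 0; i < pattern.length; i++) {
    const ch = pattern[i];
    if (ch === '\\') { i++; continue; }            // skip the escaped character
    if (ch === '{') {
      depth++;
      if (depth > maxDepth) return { ok: false, reason: 'nesting too deep' };
    } else if (ch === '}') {
      if (depth === 0) return { ok: false, reason: 'unexpected closing brace' };
      depth--;
    }
  }
  if (depth !== 0) return { ok: false, reason: 'imbalanced braces' };
  return { ok: true, reason: '' };
}

// Minimal numeric version comparison (major.minor.patch); prefixes like "^" or "v"
// are stripped and missing components are treated as 0. Good enough for pinned
// lockfile versions; use the semver package for ranges.
function parseVersion(v) {
  return String(v).replace(/^[^0-9]*/, '').split('.').map((p) => parseInt(p, 10) || 0);
}

function isAtLeast(installed, fixed) {
  const a = parseVersion(installed);
  const b = parseVersion(fixed);
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    const x = a[i] || 0;
    const y = b[i] || 0;
    if (x !== y) return x > y;
  }
  return true;
}

// Collect every installed version of `name` from a parsed package-lock.json,
// handling both the lockfileVersion 1 nested "dependencies" tree and the
// lockfileVersion 2/3 flat "packages" map keyed by install path. A transitive
// dependency can appear several times at different versions, so all are returned.
function findPackageVersions(lock, name) {
  const found = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
        found.push(meta.version);
      }
    }
  }
  (function walk(deps) {
    if (!deps) return;
    for (const [depName, meta] of Object.entries(deps)) {
      if (depName === name) found.push(meta.version);
      walk(meta.dependencies);
    }
  })(lock.dependencies);
  return found;
}

// Versions of `name` in the lockfile that are below `fixedVersion`.
function vulnerableCopies(lock, name, fixedVersion) {
  return findPackageVersions(lock, name).filter((v) => !isAtLeast(v, fixedVersion));
}

// Constructed sample lockfile fragment (not any real project's lockfile): one nested
// copy of micromatch below the fixed version and one top-level copy at the fixed version.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    'awesome-typescript-loader': {
      version: '5.1.0',
      dependencies: { micromatch: { version: '3.1.10' } },
    },
    micromatch: { version: '4.0.8' },
  },
};

// Usage: vulnerableCopies(SAMPLE_LOCK, 'micromatch', '4.0.8') -> ['3.1.10']
//        checkBraces('{a,b').ok -> false (reason 'imbalanced braces')
```

The pre-validation is deliberately linear in the pattern length and allocates nothing, so it can run on every request before the potentially expensive library call; the lockfile scan is the check to run in CI, because a fixed top-level copy does not mean the nested copy pulled in by a loader is fixed too.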